Human Operated Fraud in Lead Generation
Human operated fraud uses tools to circumvent the detection technologies that would normally block abuse, spam, fraud, etc. These detection technologies work using blacklists. Understanding exactly what is being blacklisted enabled tool makers to build and sell tools that circumvent these lists: the anti-detect browsers.
Anti-detect browsers are such a handy tool. They avoid being blocked by platforms or by inferior fraud detection solutions simply by changing their appearance using fake fingerprints and by rotating their IP address using proxies. These tools are sold to manage multiple LinkedIn, Facebook, TikTok, Google Ads, Instagram, YouTube, eBay, Etsy, Coinbase, Telegram, X, etc. accounts from a single browser. If these big platforms can't detect them, then are these tools really that good!?
Other purposes of these anti-detect browsers are to generate leads using stolen PII data. Generating leads using bots is still a hard problem for bot makers. Luckily for fraudsters, the profits are enough to hire humans in low wage countries and these humans will fill out the lead generation forms manually.
Many different anti-detect browsers (30+ are listed in this article) are on the market, all claiming to have thousands of users. That means there’s a market for this type of service. The unanswered question is: at whose expense?
Fraud in marketing
By now it should be clear that fraud does exist in the digital marketing ecosystem. Impression and click fraud happens and costs real money. The difference between impression/click fraud and lead generation/digital sale fraud is the frequency and the financial risk. A fraudulent impression costs a brand a fraction of a penny, but a fraudulently generated lead costs $10+, and if your call center follows it up you might get sued because the callee didn’t provide express consent. That will cost at least $500: the settlement cost PER CALL, plus all the legal hours and other overhead costs.
Fraudsters only make money with impression fraud and click fraud at scale. They need millions of impressions to make a few thousand bucks. That’s why they have an army of bots doing that type of work, simply because bots scale well and are cheap. Manually clicking on advertisements by humans does happen, but only at small scale; the best known case is burning a competitor’s budget. The goal there is not to make a profit but to hurt another company. In most other cases humans are too expensive for these types of fraud.
That changes in lead generation and digital sales, because the potential profit per lead or sale is in the dollar range and a typical human is able to generate many leads per hour, or to buy many Taylor Swift tickets per hour. Knowing the profit per ticket ($100++/ticket) or per generated lead ($10+/lead), it’s a lucrative business.
Simple bots can be detected using simple technology. Once you know the difference between a Python script firing requests and a real browser or app [1][2], or between browser automation and a regular browser, bots can be detected with ease. It becomes next level when you’re dealing with human operated fraud.
Human operated fraud
Human fraudsters (human operated fraud) use browsers as intended, using a keyboard and mouse, or touch and a virtual keyboard on a mobile device. So, how does the typical fraud detection vendor try to detect human fraudsters?
IP address reputation
Fingerprinting of device and browser
Once fraud has happened, an IP address or fingerprint is put on a blacklist for 30, 60 or even 180 days. Of course this would only solve the fraud problem if fraudsters used their home IP address and their regular browser. But they don’t. So, how are these human operated fraudsters able to rotate IP addresses and fingerprints?
How do these human operated fraudsters work?
The goal is to circumvent being blocked by both IP address blacklists and fingerprint blacklists. The poor fraudster’s solution is to use browser extensions to change the browser’s fingerprint [3]. These browser extensions are used in combination with free proxies or free VPNs [4]. But ‘free’ comes with a catch: it can be detected with ease. The presence of browser extensions can be detected from JavaScript, and free proxies and VPNs operate 99 times out of 100 from data centers.
Professionals use special anti-detect browsers. These browsers are rented as a service and do cost a monthly fee. Quality has its price. These browsers have built-in features that enable a different proxy server per browser tab, a different device fingerprint per browser tab, a different local storage and cookie jar per browser tab, a different browsing history per browser tab. In other words, each tab looks like a completely separate visitor coming from a distinct location using a completely different device.
Anti-detect browsers support importing and exporting profiles, which means the device and browser fingerprint, cookies, local storage, history, etc. can be transferred from desktop A to desktop B so that someone else is able to continue a warm session. You might think that this is a lot of manual work? Wrong! Many of these browsers have a built-in REST API [5] to automate the import and export of profiles. These profiles are typically stored centrally; workers download a profile and continue working towards their goal.
Centrally storing profiles also enables bots to warm up profiles by browsing the Internet, collecting cookies, being tracked across websites of certain topic groups, etc. A profile being ‘warm’ or ‘mature’ implies that it fits an audience, so advertisements targeted at that audience will be shown. Now it’s just a matter of browsing to complicit websites, clicking on the advertisement and finally being redirected to the landing page. This means the attribution goes to the complicit websites.
Humans then fill out the lead generation form, or buy the digital products. Although this can be done by bots, humans are more flexible in unexpected situations, for example when lead generation forms are being A/B tested. Existing fraud detection tools also have a harder time: looking at IP address reputation and blacklisted fingerprints only works after the fact.
Cloud phones
Figure 3 and Figure 4 list 31 anti-detect browsers, mostly available for Windows and Mac. Some anti-detect browsers have a Linux or Android version. Some even offer cloud phones, which means that from a desktop you remote control a real physical phone in a data center. The left images in Figure 5 show that phones in a cloud (which is just a fancy name for a data center) don’t look like your iPhone or Samsung phone with a touch screen, battery, GPS, etc. Nope, these phones are the bare minimum hardware: a circuit board with a CPU, memory, (e)SIM, storage and an installed OS plus apps that enable the phone to be remote controlled over the Internet, to spoof GPS, to have a remote camera, etc.
Special anti-detect browsers let you use these phones as a service. Connect to them, push your profile (cookies, local storage, device fingerprint, browsing history), and continue whatever session you want. And yes, these phones have SIM cards (virtual eSIMs), so they are able to send and receive text messages. Figure 5 shows what a box of phones looks like and how they can be remote controlled. These are, by the way, real Samsung phones, but without the screen and battery.
Anti-detect browsers can be used for legitimate business. For example, if you manage the social media accounts of multiple small businesses, e.g. 5 to 10 of them, you prefer not to have to log in and log out 20 times a day and switch between companies in order to answer questions, post messages, etc. But the same technology can also be used for less legitimate things. There’s a thin line where privacy ends and a fraudster’s toolbox starts. Do you really need a built-in REST API in your browser to guarantee privacy? Do you really need a marketplace where you can buy a zillion device fingerprints collected from real devices in order to guarantee privacy? Do you really need a unique device fingerprint and proxy per browser tab?
What are these anti-detect browsers really used for?
What can be achieved with these anti-detect browsers, besides warming up and aging visitor profiles and some lead generation fraud? What are these browsers used for? If you look at how people use these browsers you’ll find that they are used for:
Ticket / Sneaker scalping
Online dating scams
Pig butchering, shazhupan aka investment scams
Fake reviews
Lead generation fraud
Troll farms
Card testing
Inflate social media activity and interactions
Affiliate marketing fraud
Click fraud
Poison surveys
Get free coupons, freebies, promotions, etc.
In Figure 6 an online forum message is shown where someone complains about fraudulent clicks on advertisements and subsequently fraudulent generated leads. Google is not able to detect these clicks, and Google’s algorithm is completely poisoned because it thinks these clicks are legitimate. The last line of the bottom message is the most concerning one. Quote “They essentially refuse to admit there’s any way that invalid traffic can exist outside their ability to detect it”. The arrogance.
Another example of what anti-detect browsers are used for can be found on the websites of these browsers, more specifically on their services pages. Figure 7 shows that Multilogin can be used for ticket scalping. For those who don’t know what ticket scalping is, Figure 8 shows how the ticket scalping solution page explains it. With the best regards to #TaylorSwift
How do fraudsters know these tools work?
How do fraudsters know the claims of these anti-detect browsers are real? They would be the worst customers to take any claim on faith. They trust nobody, and they know exactly why. Their validation tools are public websites that show their fingerprint and/or VPN/proxy server information.
Whoer.net is a ‘service aimed at verifying the information your computer sends to the Internet’. It checks the reputation of your IP address, or of the VPN/proxy you are using. Secondly, it checks what information is available to be fingerprinted.
These websites will check and show your browser’s fingerprint, and a fingerprint reputation score:
https://pixelscan.net
https://browserleaks.com
To check for DNS leaks they use https://dnsleaktest.com/. Some background on this: if your web traffic is routed over a proxy server, a web server only sees the proxy server’s IP address. DNS traffic from the same host, however, is often not routed over that proxy but sent directly. With a session-specific DNS query, the difference between the two IP addresses (the proxy’s IP address versus the real IP address) can be detected and may be flagged as fraud.
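The server-side version of that check, as an added example that is not part of the original article: the landing page embeds a per-session token in a hostname under a zone the defender controls (dnscheck.example.invalid here, a placeholder), so the authoritative name server sees exactly one query per session. Correlating the web server’s client IP with the resolver IP that asked for the token shows whether the visitor’s DNS takes the same route as their HTTP traffic. The log formats, the sid parameter, the sample addresses and the small allowlist of public resolvers are constructed assumptions.

```python
import ipaddress
import re

# Constructed web server log (not real traffic): client IP and a per-session
# token passed as ?sid=<token>. Session e5a1 has no matching DNS query below.
WEB_LOG = """\
203.0.113.45 - [21/Nov/2024:10:01:02 +0000] "GET /lead-form?sid=a1f9 HTTP/1.1" 200
198.51.100.7 - [21/Nov/2024:10:01:05 +0000] "GET /lead-form?sid=7c2e HTTP/1.1" 200
192.0.2.88 - [21/Nov/2024:10:01:09 +0000] "GET /lead-form?sid=d04b HTTP/1.1" 200
203.0.113.90 - [21/Nov/2024:10:01:12 +0000] "GET /lead-form?sid=e5a1 HTTP/1.1" 200
"""

# Constructed query log of the authoritative server for dnscheck.example.invalid
# (simplified format, assumed): the source address is the resolver that asked.
DNS_LOG = """\
21-Nov-2024 10:01:02 client 203.0.113.45#5353: query: a1f9.dnscheck.example.invalid IN A
21-Nov-2024 10:01:05 client 192.0.2.200#41022: query: 7c2e.dnscheck.example.invalid IN A
21-Nov-2024 10:01:09 client 8.8.8.8#33123: query: d04b.dnscheck.example.invalid IN A
"""

# A few well-known public resolver prefixes (Google, Cloudflare, Quad9), used as
# an assumed allowlist. A query from these is inconclusive: a genuine visitor may
# simply have configured a public resolver, so it must not be called a leak.
PUBLIC_RESOLVERS = [ipaddress.ip_network(p) for p in (
    "8.8.8.0/24", "8.8.4.0/24", "1.1.1.0/24", "1.0.0.0/24", "9.9.9.0/24")]

WEB_RE = re.compile(r"^([0-9.]+) .*?[?&]sid=([0-9a-f]+)")
DNS_RE = re.compile(r"client ([0-9.]+)#\d+: query: ([0-9a-f]+)\.dnscheck\.example\.invalid")


def same_network(a, b, prefix=24):
    """True when both IPv4 addresses fall in the same /prefix block.

    Comparing at /24 rather than exact match tolerates an ISP resolver that
    sits next to the customer; a production check would compare by ASN."""
    net_a = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{prefix}", strict=False)
    return net_a == net_b


def is_public_resolver(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PUBLIC_RESOLVERS)


def classify_sessions(web_log, dns_log):
    """Return {session token: verdict} by joining the two logs on the token."""
    http_ip = {}
    for line in web_log.splitlines():
        m = WEB_RE.match(line)
        if m:
            http_ip[m.group(2)] = m.group(1)

    resolver_ip = {}
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m:
            # Keep the first resolver that asked; retries may come from others.
            resolver_ip.setdefault(m.group(2), m.group(1))

    verdicts = {}
    for sid, client in http_ip.items():
        resolver = resolver_ip.get(sid)
        if resolver is None:
            verdicts[sid] = "no_dns_query"       # blocked, cached or not loaded yet
        elif same_network(client, resolver):
            verdicts[sid] = "consistent"         # HTTP and DNS agree on the network
        elif is_public_resolver(resolver):
            verdicts[sid] = "public_resolver"    # inconclusive, do not flag
        else:
            verdicts[sid] = "mismatch"           # DNS bypasses the proxy: leak signal
    return verdicts


if __name__ == "__main__":
    for sid, verdict in classify_sessions(WEB_LOG, DNS_LOG).items():
        print(sid, verdict)
```

Only the "mismatch" verdict is a leak signal, and even that is one input to a score rather than a block on its own; the "public_resolver" and "no_dns_query" outcomes exist precisely so that ordinary visitors are not flagged by a check aimed at proxied ones.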
Other types of leaks (DNS, WebRTC or msleak) can be validated using https://www.perfect-privacy.com/. They offer tests to validate whether your browser leaks your real IP. These are the test URLs:
And many more of these tests exist online.
Now what?
Apparently humans using anti-detect browsers bypass all fraud detections. Once they know how to configure their browser, which settings work best per website or platform, which residential proxy providers have the best (fresh) proxies, which device fingerprints look genuine, they bypass all fraud detections. The existing bot detections at these platforms aren’t effective, because these fraudsters are not using bots, but real browsers with a human interface. They’ll use real phone numbers to receive texts in case of 2FA.
These tools are also used in lead generation and in digital sales. Humans manually fill out the lead generation forms, and the attribution goes to the affiliate or source that provided the lead. Whether these sources generated fraudulent leads knowingly or unknowingly, they still get paid. The TCPA and potential litigation risks are for the brand buying and following up on these leads.
So, can this type of fraud be detected?
In lead generation the behavior of fraudsters differs from regular people who will see the lead generation form for the first time. It’s like walking in a store straight to the right section, the right aisle in order to get the articles you want.
Routine, experience and time pressure are hard to detect, but not impossible. It’s like looking at the differences in handwriting. A doctor’s handwriting is impossible to read for normal people. Most people have inconsistent handwriting, though the same quirks and style can be seen in their writing. Professional calligraphers have great control over their handwriting because of knowledge, routine and experience. Someone filling out a multi-stage lead generation form for the first time doesn’t know what is coming, has to read the labels carefully, etc. This behavior is completely different from that of someone filling out this form for the 53rd time.
Behavioral differences, and in particular fraudulent behavior, are what Oxford Biochronometrics detects, in addition to the regular browser automation and request-based bots. Fraud detection at this stage needs to be done with great care, because false positives are very expensive, i.e. a missed business opportunity. False negatives are again expensive in terms of potential litigation risks [6]. That’s why accuracy of fraud detection is of great importance. Oxford Biochronometrics encourages its clients to continuously measure the performance of the fraud detection implementation, and some of our clients have even A/B tested us against other vendors. The result: they keep on being our client, and we keep on being the best!
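As an added example (not Oxford Biochronometrics’ method or code), this is the kind of form telemetry that makes the ‘first time’ versus ‘53rd time’ difference measurable: per text field, the pause between focus and the first keystroke (time spent reading the label) and the dwell time, plus how uniform those dwell times are across fields. The event records, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed form telemetry for two sessions (not real data). Each record is
# one text field: when it got focus, when the first keystroke landed, and when
# focus left it. Times are milliseconds since the form was shown.
EVENTS = [
    # A first-time visitor: reads each label, pauses, corrects an email typo.
    {"session": "first-timer", "field": "name",  "focus_ms": 0,     "first_key_ms": 900,   "blur_ms": 3200},
    {"session": "first-timer", "field": "email", "focus_ms": 3600,  "first_key_ms": 4800,  "blur_ms": 11000},
    {"session": "first-timer", "field": "phone", "focus_ms": 11500, "first_key_ms": 12100, "blur_ms": 15600},
    {"session": "first-timer", "field": "zip",   "focus_ms": 16300, "first_key_ms": 18100, "blur_ms": 26100},
    # Someone filling the same form for the 53rd time: no reading, uniform pace.
    {"session": "routine-worker", "field": "name",  "focus_ms": 0,    "first_key_ms": 80,   "blur_ms": 1100},
    {"session": "routine-worker", "field": "email", "focus_ms": 1150, "first_key_ms": 1220, "blur_ms": 2300},
    {"session": "routine-worker", "field": "phone", "focus_ms": 2350, "first_key_ms": 2440, "blur_ms": 3350},
    {"session": "routine-worker", "field": "zip",   "focus_ms": 3400, "first_key_ms": 3470, "blur_ms": 4450},
]

# Thresholds are illustrative assumptions; calibrate them on your own traffic.
MAX_ROUTINE_READ_DELAY_MS = 300   # median pause between focus and first keystroke
MAX_ROUTINE_DWELL_CV = 0.25       # coefficient of variation of per-field dwell time


def session_features(records):
    """Summarise one session's field records into a few timing features."""
    read_delays = [r["first_key_ms"] - r["focus_ms"] for r in records]
    dwells = [r["blur_ms"] - r["focus_ms"] for r in records]
    return {
        "fields": len(records),
        "total_ms": max(r["blur_ms"] for r in records) - min(r["focus_ms"] for r in records),
        # Long pauses before typing mean the labels are actually being read.
        "read_delay_median_ms": median(read_delays),
        # Near-identical dwell per field is the 'calligrapher' signature: routine.
        "dwell_cv": pstdev(dwells) / mean(dwells) if len(dwells) > 1 else 0.0,
    }


def score_sessions(events):
    """Group events by session and mark sessions that look routine."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    out = {}
    for sid, records in by_session.items():
        f = session_features(records)
        f["routine"] = (f["read_delay_median_ms"] < MAX_ROUTINE_READ_DELAY_MS
                        and f["dwell_cv"] < MAX_ROUTINE_DWELL_CV)
        out[sid] = f
    return out


if __name__ == "__main__":
    for sid, f in score_sessions(EVENTS).items():
        print(sid, f)
```

A "routine" verdict on its own is not proof of fraud: a returning customer, an assistive-technology user or someone with a browser that autofills fields can look just as practised, which is why this score should be one feature among several and why the thresholds need calibrating against known-good traffic before the verdict is allowed to cost a lead.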
Want to know more? Questions? Suggestions? Corrections? Comment, connect or DM
#adfraud #leadgeneration #CMO #tcpa #antidetect #frauddetection
2024-11-21
Update 2024-11-22:
Added section "How do fraudsters know these tools work?"
Updated title image, now includes synthetic IDs
[1] https://www.linkedin.com/pulse/how-make-money-using-fake-browsers-sander-kouwenhoven-esgce
[2] https://www.linkedin.com/pulse/how-make-money-using-fake-android-apps-sander-kouwenhoven-hs1me
[3] https://awesome-privacy.xyz/security-tools/browser-extensions
[4] https://www.linkedin.com/pulse/proxy-servers-root-all-evil-ad-fraud-sander-kouwenhoven-mtt7e
[5] https://en.wikipedia.org/wiki/REST
[6] https://www.linkedin.com/pulse/what-gets-mismeasured-mismanaged-sander-kouwenhoven-2wlee